SharePoint Server Security with Joel Oleson

From authentication and authorization to ports, firewall rules, and server-to-server communication, this session by Joel Oleson goes into depth on a number of topics and points to further resources on SharePoint security.

Slide 1: Office SharePoint Server 2007 Security: Authentication and Authorization
  Joel Oleson, Sr. Technical Product Manager, SharePoint Team

Slide 2: Key Takeaways
  - Learn in this session
    - What security features are in the box
    - Authentication and authorization
    - Extranet topologies
    - What Microsoft solutions make it better

Slide 3: Agenda
  - Platform security
  - Windows and ASP.NET authentication
  - 3-tiered admin and managing security
  - Compliance from bottom to top
  - Web farm configuration
  - Microsoft products and solutions
  - Questions?

Slide 4: SharePoint 2007 Feature Areas
  - Collaboration, Business Intelligence, Portal, Business Forms, Search, Content Management
  - Platform Services: workspaces, management, security, storage, topology, site model

Slide 5: User Authentication
  - Authentication = Who are you?
    - User identity
    - User groups/roles as defined by the directory
    - Same in WSS and MOSS!
  - Windows
    - Windows Integrated, Basic, Digest, etc.
  - ASP.NET pluggable authentication
    - Forms: locally hosted login form
    - Web SSO: remotely hosted login form

Slide 6: Windows Authentication
  - Provided by IIS; SharePoint consumes it
  - Windows Integrated
    - Kerberos/Negotiate
    - NTLM
  - Basic
  - Digest
  - Certificates (must be configured in IIS)

Slide 7: SharePoint & ASP.NET Authentication
  - Pluggable authentication framework
    - Two related providers
      - Membership: user identities
      - Role: roles/groups/attributes for a user
  - Out-of-the-box providers
    - LDAP (Office SharePoint Server)
    - SQL Server (ASP.NET)
    - AD, single domain only (ASP.NET)

Slide 8: Admin Security Layers
  - Three-tier admin
    - Web-based
    - Role- and task-delineated
    - Controlled delegation
    - Secure isolation
  - Shared Services (MOSS)
  - Single Sign-On
  - Service configuration
  - Central Admin
  - Authentication
  - Security policies
  - Farm configuration
  - Site settings
  - Site permissions
  - Auditing, expiration policies and IRM
  Diagram labels: Site Admins; IT Server Admins; Service Admins (e.g. search)

Slide 9: Permissions Management
  - Group-based permissions management
  - Role-based permissions management
  - Fine-grained permissions control
    - List, library, folder, item and document
  - Anonymous access
  - Security-trimmed user interface!
  - Explicit access-denied experience!

Slide 10: SharePoint Groups
  - New permissions management experience
    - Three default groups
      - Owners: full control
      - Members: contribute to existing lists and libraries
      - Visitors: read only
    - Integrated with the user information list
  - SharePoint groups can be assigned permissions anywhere in the site collection
  - Group administration scales better

Slide 11: Security Policy
  - Centrally enforced permissions for all sites in the web application
    - GRANT and DENY
    - Bound to web application/zone
  - Scenarios
    - Full Read: search crawling accounts, auditors, legal compliance
    - Deny All: security control, regulatory compliance
    - Deny Write: extranet lockdown
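As an added example (not code from the deck or from Microsoft), the Deny Write and Full Read scenarios above applied with the SharePoint 2007 server object model, followed by a listing of every zone policy so that Full Control grants and accounts that "operate as System" can be reviewed. The web application URL and the account names are assumptions; run it on a farm server under a farm administrator account.

```csharp
// Added example: bind web-application security policies to zones and audit them.
// Requires a reference to Microsoft.SharePoint.dll (MOSS 2007 / WSS 3.0).
using System;
using Microsoft.SharePoint.Administration;

class WebAppPolicyExample
{
    static void Main()
    {
        // Assumed URL for illustration.
        SPWebApplication app = SPWebApplication.Lookup(new Uri("https://extranet.contoso.com"));

        // Extranet lockdown: Deny Write for extranet users, bound to the Extranet zone only,
        // so the same accounts keep their normal rights on the internal (Default) zone.
        SPPolicyCollection extranetPolicies = app.ZonePolicies(SPUrlZone.Extranet);
        SPPolicyRole denyWrite = app.PolicyRoles.GetSpecialRole(SPPolicyRoleType.DenyWrite);
        SPPolicy lockdown = extranetPolicies.Add(@"CONTOSO\ExtranetUsers", "Extranet users (deny write)");
        lockdown.PolicyRoleBindings.Add(denyWrite);

        // Crawl account: Full Read on the Default zone so the index sees all content,
        // without giving the account write or Full Control rights anywhere.
        SPPolicyCollection defaultPolicies = app.ZonePolicies(SPUrlZone.Default);
        SPPolicyRole fullRead = app.PolicyRoles.GetSpecialRole(SPPolicyRoleType.FullRead);
        SPPolicy crawl = defaultPolicies.Add(@"CONTOSO\svc-mosscrawl", "Search crawl account");
        crawl.PolicyRoleBindings.Add(fullRead);

        app.Update();   // persist the policies to the configuration database

        AuditPolicies(app);
    }

    // Review step: list every policy on every extended zone. Full Control bindings and
    // "operates as System" accounts bypass item-level security, so each one needs a justification.
    static void AuditPolicies(SPWebApplication app)
    {
        foreach (SPUrlZone zone in app.IisSettings.Keys)
        {
            foreach (SPPolicy policy in app.ZonePolicies(zone))
            {
                foreach (SPPolicyRole role in policy.PolicyRoleBindings)
                {
                    bool needsReview = role.Type == SPPolicyRoleType.FullControl || policy.IsSystemUser;
                    Console.WriteLine("{0,-9} {1,-28} {2,-14}{3}", zone, policy.UserName, role.Name,
                                      needsReview ? "  <-- review" : "");
                }
            }
        }
    }
}
```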
Slide 12: Compliance
  - Auditing
    - Content modifications
    - Content viewing
    - Deletion
    - More
  - Expiration
  - Security report
  - Policy modification
  - Custom report

Slide 13: Summary
  - Data classification enforcement
    - Information Rights Management integration
    - Information policies: auditing, expiration
    - Groove
  - Secure collaboration capabilities
    - Item Level Security (ILS): Secured Objects (SO)
    - Publishing through Internet Security and Acceleration Server (ISA) and Intelligent Application Gateway (IAG)
  - Integrated security services
    - Active Directory Federation Services (ADFS)
    - Forms-based authentication and single sign-on
    - MOSS for Search: security-trimmed search results
  - Central Administration
    - Pluggable authentication: pluggable authentication provider
    - Security policies; major and minor versions; web application

Slide 14: MOSS Farm Inter-Server Communications
  - User access
  - Query/index propagation
  - MOSS web services
  - SQL
  - Indexing
  - SSO

Slide 15: Example Multi-Farm Topology
  (Diagram only.)

Slide 16: Sample Extranet Network Topology
  - "Back-to-back" or "dual-screened" perimeter network (diagram)

Slide 18: Secure Collaboration
  Microsoft Forefront Security for SharePoint helps businesses protect their Microsoft Office SharePoint 2007 and Windows SharePoint Services 3.0 collaboration environments by eliminating documents containing malicious code, confidential information, and inappropriate content.
  - Comprehensive protection
    - Ships with and manages multiple antivirus engines
    - File and content keyword filtering
    - Support for Open XML and IRM-protected documents
  - Optimized performance
    - Deep integration with SharePoint Server
    - Scanning innovations and performance controls
    - Maintains uptime and optimizes performance
  - Simplified management
    - Easily manage configuration and operation
    - Automated signature updates
    - Reporting, notifications, and alerts

Slide 19: Forefront Security for SharePoint Protection Scenarios
  (Diagram.) Labels: Internet; Extranet; Firewall; External SharePoint Users; Internal SharePoint Users; Web Front End; Indexing Server; SQL Back End; Management. Threats shown: Malware, Inappropriate Content.

Slide 20: Forefront Edge Products: Key Scenarios
  Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.
  - Remote access: VPN, OWA and SharePoint publishing
  - Firewall and forward proxy
  - Secure remote access
  - Internet access control and protection
  - Branch office protection features, caching, HTTP compression
  - SSL VPN-based remote access

Slide 21: Intelligent Application Gateway 2007
  IAG provides an easy and secure remote access solution for employees, partners and customers by combining SSL-VPN with application optimization technologies, a Web application firewall, and endpoint security controls.
  - Endpoint and access security: IAG includes a robust and comprehensive endpoint health detection mechanism and cache cleanup tailored to the specific application and environments used for access. This allows administrators to publish granular and restricted access to unmanaged machines and extend more comprehensive and rich access from corporate assets.
  - Easy management and customization: With wizard-driven configuration, easy-to-use policies and a highly intuitive user experience, IAG ensures a fast and easy deployment, allowing employees, partners and vendors simple and secure access. Ongoing management and control is simplified via updates to application and endpoint policies.
  - Application intelligence: At the heart of IAG is a highly granular and intelligent application firewall that improves the security, functionality and performance of most applications. Default policies are in place for common applications such as SharePoint, Exchange and Terminal Services, and policies can easily be created for proprietary line-of-business applications.

Slide 22: External Collaboration Toolkit for SharePoint
  Solution Accelerators: "Act faster. Go further."
  Best practices and tools to collaborate with team members from different organizations across the Internet; tested guidance by Microsoft security experts.
  - Easy to deploy and use
  - Site provisioning approval workflow
  - ADAM .NET LDAP provider
  - SharePoint admin UI and user provisioning

Slide 23: Guidance for a More Secure Infrastructure
  - TechNet: Securing Your Sites, Servers, and Server Hardening
  - 7 New Features that Enhance Security in SharePoint
  - Security and Protection for Office SharePoint Server 2007
  - TechNet Webcast: SharePoint Security from Service Accounts to Item-Level Access (Level 200)
  - Forefront Security for SharePoint
  - SharePoint Team Security Blog Posts

Slide 24: Application Security Configuration
  - Rights mask
  - Blocked file types
  - Form digest timeout
  - Safe control list
  - Code access security
  - Code execution paths
  - Virus scanning

Slide 25: References
  - Kerberos Protocol Transition and Constrained Delegation
  - ASP.NET Developer Center: Provider Toolkit
  - SharePoint Server 2007 Tech Center
  - Planning Logical Architecture

Slide 26: © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.